parameterized query with wildcard
andrew at ctech.me
Tue Jul 28 12:18:26 EDT 2015
Should have read, *proper escaping*.
On Tue, Jul 28, 2015 at 11:17 AM Andrew Kluthe <andrew at ctech.me> wrote:
> Does revDataFromQuery do any sanitizing/proper to prevent me from sneaking
> extra SQL into your search box like an injection style attack, or does it
> just plop whatever you give in there no questions asked? Just curious. I
> have always been spoiled by SQLYoga or rolled my DB interfaces up into API
> servers of some kind.
> On Tue, Jul 28, 2015 at 11:09 AM Dave Kilroy <dave at applicationinsight.com>
>> Mike, assuming you are searching the db with parameter pSearchTerm, try
>> something like this:
>> put "%" & pSearchTerm & "%" into tSearchTerm
>> put "SELECT * FROM foo WHERE bar LIKE :1" into tQuery
>> get revDataFromQuery(tab, return, sDBID, tQuery, "tSearchTerm")
>> "The difference between genius and stupidity is; genius has its limits."
>> - Albert Einstein
>> View this message in context:
>> Sent from the Revolution - User mailing list archive at Nabble.com.
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
More information about the Use-livecode